Using outsourcing to help meet your AML/CTF obligations (Reform)
Learn about the risks and the oversight needed if you’re going to use outsourcing to help meet your anti-money laundering and counter-terrorism financing (AML/CTF) obligations.
Reporting entities may outsource functions relating to their compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act) for a range of reasons, such as:
- accessing specialist AML/CTF knowledge and expertise
- managing the cost of compliance.
If you outsource AML/CTF functions, you remain responsible for complying with your obligations under the Act and Anti-Money Laundering and Counter-Terrorism Financing Rules (the Rules).
Generally, your business will remain legally liable for any:
- breach of your AML/CTF obligations, even under outsourcing arrangements
- penalty that arises from a breach.
We expect you to take steps to manage any risks of outsourcing and have appropriate oversight of your providers.
This guidance will help you:
- comply with your AML/CTF obligations when using outsourcing
- identify, mitigate and manage your money laundering, terrorism financing and proliferation financing risks (we refer to these as ML/TF risks) and AML/CTF compliance risks
- take steps to make sure the functions your business outsources are appropriate for your business
- make sure outsourced service providers you use are appropriate for your business and its specific ML/TF risks.
What this guidance covers
Outsourcing in this guidance means arranging for a third party to carry out certain AML/CTF functions on your behalf.
Depending on the services you provide, you may outsource on:
- a one-time basis. For example, to have someone develop your AML/CTF program
- an ongoing basis. For example, to conduct customer due diligence (CDD), transaction monitoring or reporting.
This guidance provides our expectations and good practices when outsourcing your AML/CTF functions. It also notes certain legal obligations, such as record keeping, restrictions on sharing AUSTRAC information and suspicious matter report (SMR) information.
What’s not included in this guidance
The following activities aren’t covered in this guidance:
- Seeking general advice on AML/CTF obligations from an adviser (learn more about engaging AML/CTF advisers).
- Relying on services provided by another member of your reporting group (learn more about reporting groups).
- Engaging a provider to conduct an independent review of your AML/CTF program (learn more about independent reviews).
- Using technology (such as software applications) that help you meet your AML/CTF obligations in-house (learn more about engaging a RegTech).
- Using databases maintained by government departments or agencies, such as the Australian Sanctions Office Consolidated List.
- Relying on CDD performed by another reporting entity (learn more about reliance on customer identification by a third party).
Effective management of outsourcing
The following steps may help you manage your outsourcing arrangements effectively and reduce potential risks when outsourcing.
1. Identify the risks that may arise through outsourcing
Outsourcing can create:
- ML/TF risk – where the use of outsourcing creates additional vulnerabilities in your business that criminals could exploit
- AML/CTF compliance risk – where you may fail to meet your AML/CTF obligations due to poor due diligence, implementation or monitoring of outsourcing arrangements.
These risks may arise if an outsourced service provider:
- doesn’t tailor its services to your business’s unique ML/TF risks
- lacks the expertise or resources to conduct the relevant AML/CTF functions on your behalf
- isn’t aware of the legal restrictions on information sharing under the Act
- isn’t subject to adequate oversight and monitoring during the arrangement.
Failure to address these risks could lead to systemic and serious non-compliance with your AML/CTF obligations.
Consider whether any proposed outsourcing is in line with the level of risk your board or senior management is willing to accept.
Outsourcing your customer monitoring
It’s critical that any outsourcing of customer monitoring is based on a thorough ML/TF risk assessment. This includes an understanding of the ML/TF risks and specific indicators of suspicious activity relevant to your business.
Without this, customer monitoring won’t be effective and may:
- monitor for ML/TF risks and suspicious activities that aren’t relevant to your business
- fail to monitor ML/TF risks and suspicious activities that are relevant to your business
- lead to failures in reporting. For example, failure to submit suspicious matter reports (SMRs) as required under the Act.
Learn more about monitoring your customers.
You must make sure that you are complying with your Privacy Act obligations when disclosing know your customer (KYC) information to a third party.
Learn more about your obligations under the Privacy Act at the Office of the Australian Information Commissioner.
2. Conduct due diligence and train outsourced service providers
This section refers to sections 5–8 and 5–9 of the Rules.
You must conduct personnel due diligence and provide training to persons who perform or will perform functions relevant to your AML/CTF obligations.
This includes outsourced service providers you engage, such as:
- contractors or consultants
- volunteers or interns (paid and unpaid)
- people employed by service providers you use.
Personnel due diligence
Before you enter an outsourcing arrangement, and during your business relationship, you must conduct appropriate due diligence on the outsourced service provider.
You must assess the outsourced service provider’s:
- skills, knowledge and expertise relevant to their AML/CTF responsibilities
- integrity.
This is to make sure they can properly:
- conduct the relevant AML/CTF functions on your behalf
- consider any ML/TF risks and AML/CTF compliance risks you have identified.
Examples of factors you may want to consider include the outsourced service provider’s:
- experience delivering the services required
- qualifications or expertise relevant to AML/CTF and your industry
- willingness to agree to performance monitoring. This includes mechanisms for dealing with any breaches of the arrangement.
Some methods you could use to verify your outsourced service provider’s suitability include:
- a demonstration of their services
- an explanation of how they’ll tailor their services to suit your business
- verification of their AML/CTF or other relevant qualifications, resourcing and performance history
- references from businesses like yours that have previously engaged the outsourced service provider.
The following could indicate that an outsourced service provider has sufficient experience or knowledge to conduct the relevant AML/CTF functions, if they:
- have experience providing AML/CTF services to businesses of a similar nature, size and complexity to yours
- understand your industry, type of business or its ML/TF risks, or take sufficient steps to understand these factors
- offer products tailored to your business
- develop their products after consulting you about your specific ML/TF environment.
Training
In practice, you’ll often retain an outsourced service provider due to their expertise in AML/CTF compliance and related matters.
In these situations, training will generally involve providing the outsourced service provider with the knowledge they require to tailor their products to your business. This could include providing the outsourced service provider with information on:
- the factors that could give rise to ML/TF risks, including the nature of your designated services, how they’re delivered, your customer types and the jurisdictions you deal with in providing your services
- the way your business’s typical customer lifecycle works, from customer onboarding to ending an engagement with a customer
- the nature of your existing policies, systems, procedures and controls
- any other relevant sector-specific information your outsourced service provider may require to create their product.
Learn more about personnel due diligence and training.
3. Understand legal restrictions on sharing information with outsourced service providers
There are legal restrictions on sharing certain types of information. Criminal penalties apply to unauthorised disclosures of:
- information about SMRs and notices issued under sections 49 and 49B of the Act, known as tipping off
- information provided to you by our staff.
You may need to disclose this information to external service providers, for example, to help review or uplift your AML/CTF reporting, transaction monitoring, or record-keeping functions.
You are not prohibited from disclosing information covered by the tipping off offence, provided that the disclosure would not, or could not reasonably be expected to, prejudice an investigation.
For example, it could prejudice an investigation if information:
- gets back to a person who may be involved in criminal activity
- gets back to someone they are associated with, or
- is publicly released.
You can reduce tipping off risks by adopting controls over the information you disclose to ensure appropriate confidentiality and security requirements are met.
We also expect you to verify that your external providers have appropriate controls in place to reduce the risk of tipping off.
Learn more about controls you can adopt to avoid tipping off.
You may wish to obtain legal advice before entering an outsourcing arrangement that could involve SMR reporting obligations, our information, or notices issued under sections 49 or 49B of the Act.
There may also be other legal restrictions on information sharing that apply to you, such as privacy laws.
4. Consider using a written agreement for outsourcing
You could consider outsourcing through a written and legally binding outsourcing agreement.
The agreement could:
- outline the services and performance targets the outsourced service provider will need to meet to conduct the relevant AML/CTF functions on your behalf
- provide oversight mechanisms to make sure that the outsourced service provider is producing the agreed services and meeting the agreed performance targets
- include mechanisms to manage compliance risks if the relevant AML/CTF functions aren’t conducted properly.
For one-off outsourced services, the written agreement could be relatively simple. For example, it could require your outsourced service provider to produce a particular product to an agreed standard. It could also require the provider to rectify any failures to meet this standard in a timely manner.
For ongoing outsourcing arrangements, we expect you to adopt more substantial oversight, monitoring and review standards. This makes sure that the outsourced service provider is continuing to conduct their agreed AML/CTF function on your behalf.
General details
The outsourcing agreement may include the following details, depending on the type of agreement:
- when the agreement starts and ends
- whether the service is to be provided on an ongoing or one-off basis
- the details of the individual in your business who will oversee and be responsible for the agreement
- specific details about what steps and obligations the outsourced service provider will complete and how this will fit into your business processes
- business continuity plans in case the outsourced service provider fails to conduct the relevant AML/CTF function on your behalf
- oversight, monitoring and review provisions for ongoing outsourcing arrangements
- expected service standards, including reporting arrangements and quality assurance processes
- if the outsourced service provider holds any data, who owns and controls that data. This includes whether you can share the outsourced service provider’s data externally with regulators, other institutions, clients and others if needed
- details of how you and your outsourced service provider will implement the outcomes of any independent reviews.
Performance targets
You could design your performance targets to provide assurance that the relevant AML/CTF functions will be conducted on your behalf if the outsourced service provider meets the targets.
For one-off outsourced services, performance targets would typically include quality and timeliness standards that align with your AML/CTF obligations.
For example, performance targets for an outsourced AML/CTF program might include that the program:
- is delivered before you’re legally required to adopt it. For example, before you start to provide a designated service to a customer
- contains all the mandatory aspects of an AML/CTF program required to identify, mitigate and manage your ML/TF risks
- is tailored to your business and can be adopted by your business with reasonable adjustments to your systems.
Avoid generic AML/CTF programs
We expect you to avoid using template or global AML/CTF programs (which aren’t Australia-specific).
AML/CTF obligations and ML/TF risks differ between countries, regions and individual businesses. Template AML/CTF programs are generally not tailored to your business and its ML/TF risks. Global AML/CTF programs often don’t consider your obligations under the Act and Rules.
If you adopt a template or global AML/CTF program, this could lead to serious and systemic compliance failures with your AML/CTF obligations.
Learn more about AML/CTF programs.
You could require additional performance targets for ongoing outsourcing arrangements, such as:
- requirements for the outsourced service provider to regularly report on their adherence to the agreed performance targets
- a maximum number of breaches allowed before a review of the agreement is initiated
- maximum timeframes to implement changes to the agreement if your ML/TF risks or circumstances change
- record keeping targets that align with your record keeping obligations.
For example, performance targets for outsourcing reports to us might include a:
- requirement to submit all reports within statutory timeframes
- quality target to include all mandatory reportable details in reports
- record keeping target to retain all relevant records of reports
- requirement to provide you with an implementation plan within a set timeframe if the outsourced service provider is going to change their systems following an independent review of your AML/CTF program.
Verification of performance
You could check that the outsourcing agreement includes appropriate oversight clauses to verify that your outsourced service provider is meeting their agreed performance targets.
One-off outsourced services will often be straightforward. This typically involves your outsourced service provider producing draft and final products for your review within agreed timeframes.
For ongoing outsourcing arrangements, you may require that the outsourced service provider:
- documents actions under the outsourcing agreement in writing and provides records to you when requested
- notifies you of any suspected non-compliance with your AML/CTF obligations and emerging ML/TF risks
- subjects themselves to ongoing due diligence and service quality checks against the agreed performance targets
- cooperates with scheduled independent reviews of outsourcing arrangements and associated ML/TF risks.
Breaches of the agreement
Your outsourcing agreement could include options for you to take a proportionate response to any breaches of the agreement.
Responses taken are expected to be in accordance with your AML/CTF program and the level of AML/CTF compliance risk or ML/TF risk you assess in relation to the breach.
Responses could include:
- requirements for the outsourced service provider to remedy any breach of the agreement within a specified timeframe
- suspension of the agreement until identified deficiencies are addressed
- termination of the agreement in cases of serious or systemic non-compliance with AML/CTF obligations or the outsourcing agreement
- escalation of breaches to your board or senior management for action.
You must also make sure that you meet your record keeping obligations for any possible non-compliance caused by the breach.
5. Monitor and review outsourcing arrangements
For one-off outsourced services—such as the development of your AML/CTF program—you could evaluate the service against the performance targets you’ve agreed to with the outsourced service provider. This is to make sure the service provided meets your AML/CTF obligations.
For ongoing outsourcing arrangements, you could continue to monitor and review the arrangement including to:
- verify that the outsourced service provider is meeting its targets under the agreement
- confirm that your business is meeting its AML/CTF obligations while using the outsourcing arrangement
- adjust the arrangement considering any changes to the ML/TF risks your business is likely to be exposed to.
This will help you detect non-compliance and mitigate potential ML/TF risks arising from the ongoing outsourcing arrangement.
You could set reviews of ongoing outsourcing arrangements at regular intervals and not just in response to events or incidents, such as a potential breach.
We expect you to make sure the processes you use to monitor the outsourced service provider are proportionate to the level of AML/CTF compliance risks and ML/TF risks you’ve identified with the outsourcing arrangements.
Examples you may want to consider include:
- asking the outsourced service provider to report periodically on how they’re meeting the performance measures agreed to in the outsourcing arrangement
- reviewing the outsourced service provider’s documented procedures and processes periodically
- reviewing random samples of the relevant AML/CTF functions the outsourced service provider has conducted. For example, to check how CDD procedures are conducted and whether they comply with your AML/CTF obligations
- comparing expected outcomes versus actual outcomes. For example, the number of reportable transactions or SMRs generated may be higher or lower than expected or the content of SMRs may not align with your expected ML/TF risks.
If the outcomes of your monitoring and reviews aren’t what you expect, it’s important to investigate and understand the causes so that you can take appropriate action.
For example, if a transaction monitoring program facilitated by an outsourced service provider isn’t picking up suspicious activities in line with your expectations, you could consider whether the issue is caused by the outsourcing arrangement, an incorrect assessment of ML/TF risks, or other factors.
6. Document procedures for managing outsourcing arrangements in your AML/CTF program
This section refers to section 116 of the Act.
You must keep records to demonstrate compliance with your obligations. We expect this will include how you’ve done all of the following:
- assess any AML/CTF compliance risks or ML/TF risks arising from an outsourcing arrangement
- conduct due diligence on potential outsourced service providers
- evaluate whether the service delivered meets your requirements and how you’ll remediate any identified issues
- monitor and review ongoing outsourcing arrangements, including who is responsible for acting on any findings.
We expect you to also keep records demonstrating how your board or senior management (if your business doesn’t have a board) have done all of the following:
- take responsibility for the oversight, accountability and resourcing required to identify, mitigate and manage the AML/CTF compliance and ML/TF risks of outsourcing
- receive reports on AML/CTF compliance and ML/TF risks arising from outsourcing arrangements
- effectively resolve non-compliance with outsourcing agreements and adapt to changing ML/TF risks.
Good outsourcing practices
- Develop an AML/CTF program that identifies, mitigates and manages AML/CTF compliance risks and ML/TF risks that may arise from outsourcing.
- Conduct due diligence on your outsourced service provider to verify that they can conduct the relevant AML/CTF functions on your behalf.
- Have senior management oversight of your outsourcing arrangements and responsibility for dealing with AML/CTF compliance risks and ML/TF risks.
- Make sure that the outsourced service provider tailors their products to your business’s ML/TF risks, designated services, customer types, jurisdictions and methods of delivery.
- Make sure you understand your legal obligations in relation to outsourcing and information sharing under the Act and obtain legal advice where necessary.
- Have a written and legally binding outsourcing agreement, including clear responsibilities and performance targets that the outsourced service provider must meet to effectively conduct the relevant AML/CTF functions on your behalf.
- Include oversight and breach clauses in outsourcing agreements that allow you to quickly detect any oversights and breaches.
- Escalate non-compliance to senior management for appropriate action.
- Actively monitor your outsourced service provider and their adherence to the performance measures agreed to.
- Review the ongoing outsourcing arrangements to make sure they continue to meet your needs.
This guidance sets out how we interpret the Act, along with associated Rules and regulations. Australian courts are ultimately responsible for interpreting these laws and determining if any provisions of these laws are contravened.
The examples and scenarios in this guidance are meant to help explain our interpretation of these laws. They’re not exhaustive or meant to cover every possible scenario.
This guidance provides general information and isn't a substitute for legal advice. This guidance avoids legal language wherever possible and it might include generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.